2.4.x/docs/manual/mod/mod_dav.xml - httpd - Git at Google

 <?xml version="1.0"?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
 <!-- $LastChangedRevision$ -->

 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->

 <modulesynopsis metafile="mod_dav.xml.meta">

 <name>mod_dav</name>
 <description>Distributed Authoring and Versioning
 (<a href="http://www.webdav.org/">WebDAV</a>) functionality</description>
 <status>Extension</status>
 <sourcefile>mod_dav.c</sourcefile>
 <identifier>dav_module</identifier>

 <summary>
     <p>This module provides class 1 and class 2 <a
     href="http://www.webdav.org">WebDAV</a> ('Web-based Distributed
     Authoring and Versioning') functionality for Apache. This
     extension to the HTTP protocol allows creating, moving,
     copying, and deleting resources and collections on a remote web
     server.</p>
 </summary>
 <seealso><directive module="mod_dav_fs">DavLockDB</directive></seealso>
 <seealso><directive module="core">LimitXMLRequestBody</directive></seealso>
 <seealso><a href="http://www.webdav.org">WebDAV Resources</a></seealso>

 <section id="example"><title>Enabling WebDAV</title>
     <p>To enable <module>mod_dav</module>, add the following to a
     container in your <code>httpd.conf</code> file:</p>

     <highlight language="config">Dav On</highlight>

     <p>This enables the DAV file system provider, which is implemented
     by the <module>mod_dav_fs</module> module. Therefore, that module
     must be compiled into the server or loaded at runtime using the
     <directive module="mod_so">LoadModule</directive> directive.</p>

     <p>In addition, a location for the DAV lock database must be
     specified in the global section of your <code>httpd.conf</code>
     file using the <directive module="mod_dav_fs">DavLockDB</directive>
     directive:</p>

     <highlight language="config">
       DavLockDB /usr/local/apache2/var/DavLock
     </highlight>

     <p>The directory containing the lock database file must be
     writable by the <directive module="mod_unixd">User</directive>
     and <directive module="mod_unixd" >Group</directive> under which
     Apache is running.</p>

     <p>You may wish to add a <directive module="core" type="section"
     >Limit</directive> clause inside the <directive module="core"
     type="section">Location</directive> directive to limit access to
     DAV-enabled locations. If you want to set the maximum amount of
     bytes that a DAV client can send at one request, you have to use
     the <directive module="core">LimitXMLRequestBody</directive>
     directive. The "normal" <directive module="core"
     >LimitRequestBody</directive> directive has no effect on DAV
     requests.</p>

     <example><title>Full Example</title>
     <highlight language="config">
 DavLockDB "/usr/local/apache2/var/DavLock"

 &lt;Directory "/usr/local/apache2/htdocs/foo"&gt;
     Require all granted
     Dav On

     AuthType Basic
     AuthName DAV
     AuthUserFile "user.passwd"

     &lt;LimitExcept GET POST OPTIONS&gt;
         Require user admin
     &lt;/LimitExcept&gt;
 &lt;/Directory&gt;
       </highlight>
     </example>

 </section>

 <section id="security"><title>Security Issues</title>

     <p>Since DAV access methods allow remote clients to manipulate
     files on the server, you must take particular care to assure that
     your server is secure before enabling <module>mod_dav</module>.</p>

     <p>Any location on the server where DAV is enabled should be
     protected by authentication.  The use of HTTP Basic Authentication
     is not recommended. You should use at least HTTP Digest
     Authentication, which is provided by the
     <module>mod_auth_digest</module> module. Nearly all WebDAV clients
     support this authentication method. An alternative is Basic
     Authentication over an <a href="../ssl/">SSL</a> enabled
     connection.</p>

     <p>In order for <module>mod_dav</module> to manage files, it must
     be able to write to the directories and files under its control
     using the <directive module="mod_unixd">User</directive> and
     <directive module="mod_unixd">Group</directive> under which
     Apache is running.  New files created will also be owned by this
     <directive module="mod_unixd">User</directive> and <directive
     module="mod_unixd">Group</directive>.  For this reason, it is
     important to control access to this account.  The DAV repository
     is considered private to Apache; modifying files outside of Apache
     (for example using FTP or filesystem-level tools) should not be
     allowed.</p>

     <p><module>mod_dav</module> may be subject to various kinds of
     denial-of-service attacks.  The <directive
     module="core">LimitXMLRequestBody</directive> directive can be
     used to limit the amount of memory consumed in parsing large DAV
     requests.  The <directive
     module="mod_dav">DavDepthInfinity</directive> directive can be
     used to prevent <code>PROPFIND</code> requests on a very large
     repository from consuming large amounts of memory.  Another
     possible denial-of-service attack involves a client simply filling
     up all available disk space with many large files.  There is no
     direct way to prevent this in Apache, so you should avoid giving
     DAV access to untrusted users.</p>
 </section>

 <section id="complex"><title>Complex Configurations</title>

     <p>One common request is to use <module>mod_dav</module> to
     manipulate dynamic files (PHP scripts, CGI scripts, etc).  This is
     difficult because a <code>GET</code> request will always run the
     script, rather than downloading its contents.  One way to avoid
     this is to map two different URLs to the content, one of which
     will run the script, and one of which will allow it to be
     downloaded and manipulated with DAV.</p>

 <highlight language="config">
 Alias "/phparea" "/home/gstein/php_files"
 Alias "/php-source" "/home/gstein/php_files"
 &lt;Location "/php-source"&gt;
     Dav On
     ForceType text/plain
 &lt;/Location&gt;
 </highlight>

     <p>With this setup, <code>http://example.com/phparea</code> can be
     used to access the output of the PHP scripts, and
     <code>http://example.com/php-source</code> can be used with a DAV
     client to manipulate them.</p>
 </section>

 <directivesynopsis>
 <name>Dav</name>
 <description>Enable WebDAV HTTP methods</description>
 <syntax>Dav On|Off|<var>provider-name</var></syntax>
 <default>Dav Off</default>
 <contextlist><context>directory</context></contextlist>

 <usage>
     <p>Use the <directive>Dav</directive> directive to enable the
     WebDAV HTTP methods for the given container:</p>

     <highlight language="config">
 &lt;Location "/foo"&gt;
     Dav On
 &lt;/Location&gt;
     </highlight>

     <p>The value <code>On</code> is actually an alias for the default
     provider <code>filesystem</code> which is served by the <module
     >mod_dav_fs</module> module. Note, that once you have DAV enabled
     for some location, it <em>cannot</em> be disabled for sublocations.
     For a complete configuration example have a look at the <a
     href="#example">section above</a>.</p>

     <note type="warning">
       Do not enable WebDAV until you have secured your server. Otherwise
       everyone will be able to distribute files on your system.
     </note>
 </usage>
 </directivesynopsis>

 <directivesynopsis>
 <name>DavMinTimeout</name>
 <description>Minimum amount of time the server holds a lock on
 a DAV resource</description>
 <syntax>DavMinTimeout <var>seconds</var></syntax>
 <default>DavMinTimeout 0</default>
 <contextlist><context>server config</context><context>virtual host</context>
 <context>directory</context></contextlist>

 <usage>
     <p>When a client requests a DAV resource lock, it can also
     specify a time when the lock will be automatically removed by
     the server. This value is only a request, and the server can
     ignore it or inform the client of an arbitrary value.</p>

     <p>Use the <directive>DavMinTimeout</directive> directive to specify, in
     seconds, the minimum lock timeout to return to a client.
     Microsoft Web Folders defaults to a timeout of 120 seconds; the
     <directive>DavMinTimeout</directive> can override this to a higher value
     (like 600 seconds) to reduce the chance of the client losing
     the lock due to network latency.</p>

     <example><title>Example</title>
     <highlight language="config">
 &lt;Location "/MSWord"&gt;
     DavMinTimeout 600
 &lt;/Location&gt;
     </highlight>
     </example>
 </usage>
 </directivesynopsis>

 <directivesynopsis>
 <name>DavDepthInfinity</name>
 <description>Allow PROPFIND, Depth: Infinity requests</description>
 <syntax>DavDepthInfinity on|off</syntax>
 <default>DavDepthInfinity off</default>
 <contextlist><context>server config</context><context>virtual host</context>
 <context>directory</context></contextlist>

 <usage>
     <p>Use the <directive>DavDepthInfinity</directive> directive to
     allow the processing of <code>PROPFIND</code> requests containing the
     header 'Depth: Infinity'. Because this type of request could constitute
     a denial-of-service attack, by default it is not allowed.</p>
 </usage>
 </directivesynopsis>

 </modulesynopsis>
	<?xml version="1.0"?>
	<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
	<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
	<!-- $LastChangedRevision$ -->

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<modulesynopsis metafile="mod_dav.xml.meta">

	<name>mod_dav</name>
	<description>Distributed Authoring and Versioning
	(<a href="http://www.webdav.org/">WebDAV</a>) functionality</description>
	<status>Extension</status>
	<sourcefile>mod_dav.c</sourcefile>
	<identifier>dav_module</identifier>

	<summary>
	<p>This module provides class 1 and class 2 <a
	href="http://www.webdav.org">WebDAV</a> ('Web-based Distributed
	Authoring and Versioning') functionality for Apache. This
	extension to the HTTP protocol allows creating, moving,
	copying, and deleting resources and collections on a remote web
	server.</p>
	</summary>
	<seealso><directive module="mod_dav_fs">DavLockDB</directive></seealso>
	<seealso><directive module="core">LimitXMLRequestBody</directive></seealso>
	<seealso><a href="http://www.webdav.org">WebDAV Resources</a></seealso>

	<section id="example"><title>Enabling WebDAV</title>
	<p>To enable <module>mod_dav</module>, add the following to a
	container in your <code>httpd.conf</code> file:</p>

	<highlight language="config">Dav On</highlight>

	<p>This enables the DAV file system provider, which is implemented
	by the <module>mod_dav_fs</module> module. Therefore, that module
	must be compiled into the server or loaded at runtime using the
	<directive module="mod_so">LoadModule</directive> directive.</p>

	<p>In addition, a location for the DAV lock database must be
	specified in the global section of your <code>httpd.conf</code>
	file using the <directive module="mod_dav_fs">DavLockDB</directive>
	directive:</p>

	<highlight language="config">
	DavLockDB /usr/local/apache2/var/DavLock
	</highlight>

	<p>The directory containing the lock database file must be
	writable by the <directive module="mod_unixd">User</directive>
	and <directive module="mod_unixd" >Group</directive> under which
	Apache is running.</p>

	<p>You may wish to add a <directive module="core" type="section"
	>Limit</directive> clause inside the <directive module="core"
	type="section">Location</directive> directive to limit access to
	DAV-enabled locations. If you want to set the maximum amount of
	bytes that a DAV client can send at one request, you have to use
	the <directive module="core">LimitXMLRequestBody</directive>
	directive. The "normal" <directive module="core"
	>LimitRequestBody</directive> directive has no effect on DAV
	requests.</p>

	<example><title>Full Example</title>
	<highlight language="config">
	DavLockDB "/usr/local/apache2/var/DavLock"

	<Directory "/usr/local/apache2/htdocs/foo">
	Require all granted
	Dav On

	AuthType Basic
	AuthName DAV
	AuthUserFile "user.passwd"

	<LimitExcept GET POST OPTIONS>
	Require user admin
	</LimitExcept>
	</Directory>
	</highlight>
	</example>

	</section>

	<section id="security"><title>Security Issues</title>

	<p>Since DAV access methods allow remote clients to manipulate
	files on the server, you must take particular care to assure that
	your server is secure before enabling <module>mod_dav</module>.</p>

	<p>Any location on the server where DAV is enabled should be
	protected by authentication. The use of HTTP Basic Authentication
	is not recommended. You should use at least HTTP Digest
	Authentication, which is provided by the
	<module>mod_auth_digest</module> module. Nearly all WebDAV clients
	support this authentication method. An alternative is Basic
	Authentication over an <a href="../ssl/">SSL</a> enabled
	connection.</p>

	<p>In order for <module>mod_dav</module> to manage files, it must
	be able to write to the directories and files under its control
	using the <directive module="mod_unixd">User</directive> and
	<directive module="mod_unixd">Group</directive> under which
	Apache is running. New files created will also be owned by this
	<directive module="mod_unixd">User</directive> and <directive
	module="mod_unixd">Group</directive>. For this reason, it is
	important to control access to this account. The DAV repository
	is considered private to Apache; modifying files outside of Apache
	(for example using FTP or filesystem-level tools) should not be
	allowed.</p>

	<p><module>mod_dav</module> may be subject to various kinds of
	denial-of-service attacks. The <directive
	module="core">LimitXMLRequestBody</directive> directive can be
	used to limit the amount of memory consumed in parsing large DAV
	requests. The <directive
	module="mod_dav">DavDepthInfinity</directive> directive can be
	used to prevent <code>PROPFIND</code> requests on a very large
	repository from consuming large amounts of memory. Another
	possible denial-of-service attack involves a client simply filling
	up all available disk space with many large files. There is no
	direct way to prevent this in Apache, so you should avoid giving
	DAV access to untrusted users.</p>
	</section>

	<section id="complex"><title>Complex Configurations</title>

	<p>One common request is to use <module>mod_dav</module> to
	manipulate dynamic files (PHP scripts, CGI scripts, etc). This is
	difficult because a <code>GET</code> request will always run the
	script, rather than downloading its contents. One way to avoid
	this is to map two different URLs to the content, one of which
	will run the script, and one of which will allow it to be
	downloaded and manipulated with DAV.</p>

	<highlight language="config">
	Alias "/phparea" "/home/gstein/php_files"
	Alias "/php-source" "/home/gstein/php_files"
	<Location "/php-source">
	Dav On
	ForceType text/plain
	</Location>
	</highlight>

	<p>With this setup, <code>http://example.com/phparea</code> can be
	used to access the output of the PHP scripts, and
	<code>http://example.com/php-source</code> can be used with a DAV
	client to manipulate them.</p>
	</section>

	<directivesynopsis>
	<name>Dav</name>
	<description>Enable WebDAV HTTP methods</description>
	<syntax>Dav On\|Off\|<var>provider-name</var></syntax>
	<default>Dav Off</default>
	<contextlist><context>directory</context></contextlist>

	<usage>
	<p>Use the <directive>Dav</directive> directive to enable the
	WebDAV HTTP methods for the given container:</p>

	<highlight language="config">
	<Location "/foo">
	Dav On
	</Location>
	</highlight>

	<p>The value <code>On</code> is actually an alias for the default
	provider <code>filesystem</code> which is served by the <module
	>mod_dav_fs</module> module. Note, that once you have DAV enabled
	for some location, it <em>cannot</em> be disabled for sublocations.
	For a complete configuration example have a look at the <a
	href="#example">section above</a>.</p>

	<note type="warning">
	Do not enable WebDAV until you have secured your server. Otherwise
	everyone will be able to distribute files on your system.
	</note>
	</usage>
	</directivesynopsis>

	<directivesynopsis>
	<name>DavMinTimeout</name>
	<description>Minimum amount of time the server holds a lock on
	a DAV resource</description>
	<syntax>DavMinTimeout <var>seconds</var></syntax>
	<default>DavMinTimeout 0</default>
	<contextlist><context>server config</context><context>virtual host</context>
	<context>directory</context></contextlist>

	<usage>
	<p>When a client requests a DAV resource lock, it can also
	specify a time when the lock will be automatically removed by
	the server. This value is only a request, and the server can
	ignore it or inform the client of an arbitrary value.</p>

	<p>Use the <directive>DavMinTimeout</directive> directive to specify, in
	seconds, the minimum lock timeout to return to a client.
	Microsoft Web Folders defaults to a timeout of 120 seconds; the
	<directive>DavMinTimeout</directive> can override this to a higher value
	(like 600 seconds) to reduce the chance of the client losing
	the lock due to network latency.</p>

	<example><title>Example</title>
	<highlight language="config">
	<Location "/MSWord">
	DavMinTimeout 600
	</Location>
	</highlight>
	</example>
	</usage>
	</directivesynopsis>

	<directivesynopsis>
	<name>DavDepthInfinity</name>
	<description>Allow PROPFIND, Depth: Infinity requests</description>
	<syntax>DavDepthInfinity on\|off</syntax>
	<default>DavDepthInfinity off</default>
	<contextlist><context>server config</context><context>virtual host</context>
	<context>directory</context></contextlist>

	<usage>
	<p>Use the <directive>DavDepthInfinity</directive> directive to
	allow the processing of <code>PROPFIND</code> requests containing the
	header 'Depth: Infinity'. Because this type of request could constitute
	a denial-of-service attack, by default it is not allowed.</p>
	</usage>
	</directivesynopsis>

	</modulesynopsis>